Hi guys,

I'm new to this forum; I came here in the hope of finding a solution for the BKDR_IRCFLOOD.X I caught. Now I see you guys don't have a solution either. What happened to me is the same as to many other guys in here as well: HouseCall found the trojan, but I don't have IEEXEC.EXE nor any registry entries for it on my system, so HouseCall's "get rid" suggestions won't work for me. That's why I did some investigating on it.

Let me explain what I discovered so far. It all started when I got PMed by a mate from a chan with a link inside, which I clicked... dumbass me :) A couple of days later I wondered why I got scanned many times a day for Sokets de Trois v1, more than 20 times a day. My Norton Personal Firewall blocked them, hopefully... By chance I found that HouseCall virus scan thingy, and out of pure curiosity I ran that scan and... BINGO, infected.
As I said above, HouseCall's suggestions don't work for me, so I started to investigate. I read several boards and such, and on the way found this one here.
At first I noticed the Notepad.exe in my system32 folder, which I dumped. After that I ran a registry cleaner which found 46!!! links related to notepad.exe in the system32 folder. I removed all of them and the system still runs solid. Now I haven't been scanned for Sokets de Trois v1 anymore. Then I got HijackThis for information on what is going on on my system. It detects anything that has been executed on the system. There were no suspects. Probably you guys may be helped by it.
Then I got Process Explorer, which gives you info on what is loaded. Unfortunately it wasn't any help for me, but probably it will be for you guys.

Because I'm not that much of a trojan hunter crack either (this is my first one), I thought why not compare the HijackThis scans, and probably together we are able to find that shitty thing.

This is my scan after starting mIRC without doing the HouseCall clean-up:

Logfile of HijackThis v1.97.7
Scan saved at 19:26:41, on 20.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\Internet Security\Tmntsrv.exe
C:\Programme\Trend Micro\Internet Security\tmproxy.exe
C:\Programme\Norton Personal Firewall\NISSERV.EXE
C:\Programme\DU Meter\DUMeter.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\Norton Personal Firewall\IAMAPP.EXE
C:\Programme\Trend Micro\Internet Security\pccguide.exe
C:\Programme\Trend Micro\Internet Security\PCClient.exe
C:\Programme\Trend Micro\Internet Security\TMOAgent.exe
C:\Programme\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\WebWasher\wwasher.exe
C:\Programme\TuneUp Utilities\MemOptimizer.exe
C:\Programme\STK007\STK007M.exe
C:\Programme\ISDN Monitor\ISDNMO32.EXE
C:\Programme\Topdesk\TDeskDEU.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Winamp\winamp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\mIRC\mirc.exe
C:\Programme\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freenet.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DU Meter] C:\Programme\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iamapp] C:\Programme\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programme\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Programme\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Programme\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WebWasher] C:\Programme\WebWasher\wwasher.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] C:\Programme\TuneUp Utilities\MemOptimizer.exe autostart
O4 - Startup: ISDN Monitor 32.lnk = C:\Programme\ISDN Monitor\ISDNMO32.EXE
O4 - Startup: TDeskDEU.lnk = C:\Programme\Topdesk\TDeskDEU.exe
O4 - Startup: Windows-Explorer.lnk = C:\WINDOWS\explorer.exe
O4 - Global Startup: STK007 PNP Monitor.lnk = ?
O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.6180902778
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/de/techsupp/activedata/ActiveData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F49DA492-7B88-463F-B389-CA9A02F6DA76} - http://www.seagate.com/support/disc/asp/tools/de/bin/npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EB636CB-9E81-4A9E-8E36-3769378FD4E5}: NameServer = 213.148.129.10 213.148.130.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{261BF471-5B25-4DE2-90B9-562280EE3F6B}: NameServer = 192.168.120.252,192.168.120.253
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4DB604B-581A-43A1-B664-34252880D5D4}: NameServer = 192.168.1.1


Togi

Last edited by Togi24; 20/04/04 05:50 PM.
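The post proposes comparing HijackThis scans to spot whatever is hiding. As an added illustration (not code from the post or from HijackThis itself), this Python script parses the R/O entries of two logs, reports what was added or removed per section, and pulls the executable paths out of the O4 autostart lines; the BEFORE entries are a handful taken from the log above, and the extra AFTER entry is a constructed placeholder, not a real indicator.

```python
import re
from collections import defaultdict

# BEFORE: a few entries copied from the post's HijackThis log.
# AFTER: the same entries plus one constructed O4 Run entry (placeholder path)
# so the diff has something to surface.
BEFORE = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf
O4 - HKLM\\..\\Run: [DU Meter] C:\\Programme\\DU Meter\\DUMeter.exe
O4 - HKCU\\..\\Run: [WebWasher] C:\\Programme\\WebWasher\\wwasher.exe
O4 - Startup: Windows-Explorer.lnk = C:\\WINDOWS\\explorer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""
AFTER = BEFORE + "O4 - HKLM\\..\\Run: [Example] C:\\WINDOWS\\System32\\example-placeholder.exe\n"

# HijackThis entry lines look like "R1 - ..." or "O16 - ..."; header lines and
# the "Running processes" paths do not match and are skipped.
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")

def parse_hjt(text):
    """Return {section code: set(entry text)} for one log."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group(1)].add(m.group(2))
    return entries

def diff_hjt(before, after):
    """Entries new in `after` (added) and gone from `after` (removed), keyed by
    section, so a change in O4 autostarts stands out from the unchanged noise."""
    a, b = parse_hjt(before), parse_hjt(after)
    added = {s: sorted(b[s] - a[s]) for s in b if b[s] - a[s]}
    removed = {s: sorted(a[s] - b[s]) for s in a if a[s] - b[s]}
    return added, removed

def autostart_paths(text):
    """Executable paths named by O4 (Run/Startup) entries: the first lines to
    check, because whatever they point at runs on every logon."""
    paths = []
    for entry in parse_hjt(text)["O4"]:
        m = re.search(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|EXE))"?', entry)
        if m:
            paths.append(m.group(1))
    return sorted(paths)

if __name__ == "__main__":
    added, removed = diff_hjt(BEFORE, AFTER)
    for section, items in added.items():
        for item in items:
            print(f"+ {section}: {item}")
    for section, items in removed.items():
        for item in items:
            print(f"- {section}: {item}")
```

Save two full HijackThis logs to files and feed their contents to diff_hjt to compare a clean scan against a later one.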